Abstract — We present a compositional SMT-based algorithm for safety of procedural C programs that takes the heap into consideration as well. Existing SMT-based approaches are either largely restricted to handling linear arithmetic operations and properties, or are non-compositional. We use Constrained Horn Clauses (CHCs) to represent the verification conditions where the memory operations are modeled using the extensional theory of arrays (ARR). First, we describe an exponential time quantifier elimination (QE) algorithm for ARR which can introduce new quantifiers of the index and value sorts. Second, we adapt the QE algorithm to efficiently obtain under-approximations using models, resulting in a polynomial time Model Based Projection (MBP) algorithm. Third, we integrate the MBP algorithm into the framework of compositional reasoning of procedural programs using may and must summaries recently proposed by us. Our solutions to the CHCs are currently restricted to quantifier-free formulas. Finally, we describe our practical experience over SV-COMP'15 benchmarks using an implementation in the tool Spacer.

I. Introduction

While many existing algorithms for SMT-based model checking of sequential programs are limited to handling program operations modeled using Linear Arithmetic (reals and integers) [], verification of real-world programs requires us to consider the heap as well. When the input program does not have recursive procedures, one can try eliminating the memory operations by inlining all procedure calls and performing compiler optimizations to lower memory into registers (e.g., [3], [13]). However, this approach has several drawbacks, such as (a) the inlined program can be exponentially larger than the original program, making it harder to verify, (b) the resulting safety proofs are non-compositional, (c) it is hard to trace the resulting counterexamples back to the original program, and (d) even with inlining, it is not always possible to lower memory into registers without a significant blowup in program size. Instead, we consider program representations that faithfully model the heap using the extensional theory of arrays (ARR) [12]. In this paper, we present an efficient, compositional, and SMT-based algorithm for safety of procedural C programs modeled using the theories of Linear Integer Arithmetic (LIA) and ARR. We restrict ourselves to discovering safety proofs involving only quantifier-free assertions.
SMT-based model checking is traditionally based on monolithic Bounded Model Checking (BMC) [5], which iteratively checks satisfiability of formulas that symbolically represent various unwindings of the program. However, the size of these formulas can grow exponentially in the input size of the program, and we recently developed a compositional framework for SMT-based model checking to address this [16]. To check safety of an input program, the compositional approach iteratively creates and checks local reachability queries for individual procedures. To avoid redundancy and enable reuse, we maintain two kinds of summaries for each procedure: one for under-approximating and the other for over-approximating its behavior. The creation of new reachability queries and summaries involves existentially quantifying auxiliary variables. To efficiently eliminate the quantifiers, we also proposed a technique called Model Based Projection (MBP) that obtains under-approximations of the quantified formulas. This was quite effective in practice for Linear Arithmetic.

In this paper, we extend the above compositional framework to ARR by developing an MBP procedure for ARR. We first show that, given a quantified formula $\exists a \cdot \varphi(a, x)$, where $a$ is an array variable and $\varphi$ is quantifier-free, there exists an equivalent formula $\exists i, v \cdot \psi(i, v, x)$, where $i$ and $v$ are variables of the index-sort and the value-sort of $a$, respectively (Sec. IV-A). We will then show how to adapt this quantifier elimination procedure to obtain an MBP procedure that efficiently under-approximates existentially quantified formulas over ARR (Sec. IV-B).

We describe how the MBP procedure for ARR is integrated with MBP procedures for Linear Arithmetic and with the rest of the framework to obtain a new compositional algorithm (Sec. V). In order to obtain over-approximations of procedure behaviors, the framework also utilizes Craig Interpolation []. Using MBP to efficiently eliminate auxiliary variables results in a straightforward interpolation procedure for ARR that infers the weakest interpolants. However, it is interesting to explore other interpolation procedures which can help expand the class of programs that can be handled by our approach.

While we target C programs for verification, our algorithm and implementation are at the level of the Constrained Horn Clause (CHC) fragment of First Order Logic (FOL), which is used to encode the verification conditions. This makes the framework very flexible and directly applicable to other problems that are reducible to CHC [12].

The algorithm we propose is implemented in our tool Spacer [] using SeaHorn [] to encode the C programs logically into the HornSMT format of CHCs. Using Spacer, we evaluate the algorithm experimentally using SV-COMP 2015 benchmarks (Sec. VI).

II. Preliminaries

We consider a first-order language with equality whose signature $\Sigma$ contains basic sorts (e.g., $\mathit{bool}$ of Booleans, $\mathit{int}$ of integers, etc.) and array sorts. An array sort $\mathit{arr}(I, V)$ is parameterized by a sort of indices $I$ and a sort of values $V$. We assume that $I$ is always a basic sort. For every array sort $\mathit{arr}(I, V)$, the language has the usual function symbols $rd : \mathit{arr}(I, V) \times I \to V$ and $wr : \mathit{arr}(I, V) \times I \times V \to \mathit{arr}(I, V)$ for reading from and writing to the array. Intuitively, $rd(a, i)$ denotes the value stored in the array $a$ at the index $i$ and $wr(a, i, v)$ denotes the array obtained from $a$ by replacing the value at the index $i$ by $v$. We use an axiomatization of these function symbols using the extensional theory of arrays (ARR). In particular, we have the following two axiom schemas:

Read-after-write

$\forall a : \mathit{arr}(I, V)\ \forall i, j : I\ \forall v : V \cdot (i = j \Rightarrow rd(wr(a, i, v), j) = v) \wedge (i \neq j \Rightarrow rd(wr(a, i, v), j) = rd(a, j))$

Extensionality

$\forall a, b : \mathit{arr}(I, V) \cdot (\forall i : I \cdot rd(a, i) = rd(b, i)) \Rightarrow a = b$

Intuitively, the first schema says that after modifying an array $a$ at index $i$, a read results in the new value at index $i$ and $rd(a, j)$ at every other index $j$. The second schema says that if two arrays agree on the values at every index location, the arrays are equal. Let $i : I$ and $v : V$ be vectors of index and value terms of the same length $m$. We write $wr(a, i, v)$ to denote the nested write term $wr(wr(\ldots wr(a, i(0), v(0)) \ldots))$ that writes $v(k)$ at $i(k)$ for every $k$, where $i(k)$ denotes the $k$th element of $i$. For an index term $j : I$, we write $j \in i$ to denote $\bigvee_{k=1}^{m} (j = i(k))$. Unless specified otherwise, $\Sigma$ contains no other function symbols.

For arrays $a$ and $b$ of sort $\mathit{arr}(I, V)$, and a (possibly empty) vector of index terms $i$, we write $a =_i b$ to denote $\forall j : I \cdot (j \notin i \Rightarrow rd(a, j) = rd(b, j))$ and call such formulas partial equalities [18]. Using extensionality, one can easily show the following:

$a =_{\emptyset} b \equiv a = b$ (1)

$wr(a, j, v) =_i b \equiv (j \in i \wedge a =_i b) \vee (j \notin i \wedge a =_{i \cdot j} b \wedge rd(b, j) = v)$ (2)

$a =_i b \equiv \exists v : V \cdot a = wr(b, i, v)$ (3)

Let $\varphi$ be a formula with free variables $x$ (in some fixed order). We sometimes write it as $\varphi(x)$. We write $\varphi[t]$ to denote that a term or an atom $t$ appears in $\varphi$. We assume the usual definition of satisfiability modulo theories (SMT).


Safety of procedural programs can be reduced to SMT of a set of a special kind of formulas known as Constrained Horn Clauses (CHCs) [6], [16], [12]. A Constrained Horn Clause (CHC) is a formula of the form

$\forall x \cdot \underbrace{\bigwedge_{k=1}^{m} P_k(x_k) \wedge \varphi(x)}_{body} \Rightarrow head$

where the $P_k$'s are predicate symbols not present in $\Sigma$, $x_k \subseteq x$ and $|x_k|$ is equal to the arity of $P_k$ for every $k$, $\varphi$ is a formula over $\Sigma$, and $head$ is either an application of a fresh predicate symbol or another formula over $\Sigma$. In this work, we are interested in quantifier-free, first-order interpretations of the $P_k$'s that satisfy the given set of CHCs. We use $body$ to refer to the antecedent of the CHC, as shown above. A CHC is called a query if $head$ is a formula over $\Sigma$ and otherwise, it is called a rule. If $m \le 1$ in the body, the CHC is linear and is non-linear otherwise. Following the convention of the logic programming literature, we represent the above CHC as $head \leftarrow P_1(x_1), \ldots, P_m(x_m), \varphi(x)$.

Intuitively, the body of each procedure can be encoded as a rule CHC, where the fresh predicate symbols denote over-approximating summaries of procedures. Safety assertions can be encoded as query CHCs. Any given set of CHCs can be transformed to an equisatisfiable set of three CHCs with a single predicate symbol of the following canonical form (assuming that $\Sigma$ has a sort with at least two elements, e.g., $\mathit{bool}$; see Appendix for details).

$Inv(x) \leftarrow init(x)$ $\qquad$ $\neg bad(x) \leftarrow Inv(x)$

$Inv(x') \leftarrow Inv(x), Inv(x^o), tr(x, x^o, x')$ (4)

Intuitively, $Inv$ denotes an inductive invariant, $x$ denotes the state-variables, $x'$ denotes their next-state values, and $x^o$ denotes the potential parameters of a procedure call. Note that, if $tr$ is independent of $x^o$, $Inv(x^o)$ can be effectively dropped from the last CHC and $Inv$ denotes an inductive invariant of a traditional transition system. For a formula $\varphi(x)$, we write $\varphi'$ and $\varphi^o$ to denote $\varphi[x'/x]$ and $\varphi[x^o/x]$, respectively.

In the sequel, we restrict to this canonical form and assume that $init$, $tr$, and $bad$ are quantifier-free. We define a state transformer $\mathcal{F}(\varphi_a(x), \varphi_b(x))$ as $(\varphi_a(x) \wedge \varphi_b(x^o) \wedge tr(x, x^o, x')) \vee init(x')$ and abuse the notation to write $\mathcal{F}(\varphi_a)$ for $\mathcal{F}(\varphi_a, \varphi_a)$.

Consider an existentially quantified formula $\varphi(y) = \exists x \cdot \varphi_m(x, y)$ where $\varphi_m$ is quantifier-free. A function $Proj_\varphi$ from models of $\varphi_m$ to quantifier-free formulas over $y$ is called a Model Based Projection (MBP) [16] iff (a) $Proj_\varphi$ has a finite image, (b) $\varphi \equiv \bigvee_{M \models \varphi_m} Proj_\varphi(M)$, and (c) for every $M \models \varphi_m$, it also holds that $M \models Proj_\varphi(M)$. In an earlier work, we developed efficient MBP functions for the theories of Linear Real Arithmetic and Linear Integer Arithmetic [16].

Given formulas $\varphi_A(x, z)$ and $\varphi_B(y, z)$ with $x \cap y = \emptyset$ and $\varphi_A \Rightarrow \varphi_B$, a Craig Interpolant [8], denoted $\mathrm{Itp}(\varphi_A, \varphi_B)$, is a formula $\varphi_I(z)$ such that $\varphi_A \Rightarrow \varphi_I$ and $\varphi_I \Rightarrow \varphi_B$.


III. The Compositional Verification Framework

Our approach for checking satisfiability of the CHCs in (4) is based on the Spacer framework for SMT-based model checking [16]. Compared to other SMT-based algorithms (e.g., [4], [11], [14], [17]), the key distinguishing feature of Spacer is compositional reasoning. That is, instead of checking satisfiability of monolithic SMT formulas for various program unwindings, Spacer iteratively creates and checks local reachability queries for individual procedures. At a high level, such local reasoning is similar to IC3 [7], [10], a SAT-based algorithm for safety of finite-state transition systems, and GPDR [10], its extension to Linear Real Arithmetic. Similar to existing SMT-based algorithms, including IC3 and GPDR, Spacer maintains a sequence of over-approximations of procedure behaviors, called may summaries, corresponding to various program unwindings. However, unlike other approaches, Spacer also maintains under-approximations of procedure behaviors, called must summaries, to avoid redundant reachability queries. Another distinguishing feature of Spacer is the use of MBP for efficiently handling existentially quantified formulas to create a new query or a must summary. Alg. 1 gives a simplified description of Spacer in the context of the CHCs in (4) using a set of rules that can be applied non-deterministically. We will briefly describe the rules below and then mention some implementation aspects.

Input: Formulas $init(x)$, $tr(x, x^o, x')$, $bad(x)$
Output: Inductive invariant (FO interpretation of $Inv$ satisfying (4)) or UNSAFE

if ($init \wedge bad$) satisfiable then return UNSAFE
// initialize data structures
$Q := \emptyset$ // set of pairs $(\varphi, i)$, $i \in \mathbb{N}$
$N := 0$ // max level, or recursion depth
$O_0 = init$, $O_i = \top$, $\forall i > 0$ // may summary sequence
$U = init$ // must summary
forever non-deterministically do
  (Candidate) [ $(O_N \wedge bad)$ satisfiable ] $Q := Q \cup (\varphi, N)$, for some $\varphi \Rightarrow O_N \wedge bad$
  (DecideMust) [ $(\varphi, i+1) \in Q$, $M \models \mathcal{F}(O_i, U) \wedge \varphi'$ ] $Q := Q \cup (\mathrm{Mbp}(\exists x^o, x' \cdot \mathcal{F}(O_i, U) \wedge \varphi', M), i)$
  (DecideMay) [ $(\varphi, i+1) \in Q$, $M \models \mathcal{F}(O_i) \wedge \varphi'$ ] $Q := Q \cup (\mathrm{Mbp}(\exists x, x' \cdot \mathcal{F}(O_i) \wedge \varphi', M)[x/x^o], i)$
  (Leaf) [ $(\varphi, i) \in Q$, $\mathcal{F}(O_{i-1}) \Rightarrow \neg\varphi'$, $i < N$ ] $Q := Q \cup (\varphi, i+1)$
  (Successor) [ $(\varphi, i+1) \in Q$, $M \models \mathcal{F}(U) \wedge \varphi'$ ] $U := U \vee \mathrm{Mbp}(\exists x, x^o \cdot \mathcal{F}(U) \wedge \varphi', M)[x/x']$
  (Conflict) [ $(\varphi, i+1) \in Q$, $\mathcal{F}(O_i) \Rightarrow \neg\varphi'$ ] $O_j := O_j \wedge \mathrm{Itp}(\mathcal{F}(O_i), \neg\varphi')[x/x']$, $\forall j \le i+1$
  (Induction) [ $(\varphi \vee \psi) \in O_i$, $\mathcal{F}(\varphi \wedge O_i) \Rightarrow \varphi'$ ] $O_j := O_j \wedge \varphi$, $\forall j \le i+1$
  (Unfold) [ $O_N \Rightarrow \neg bad$ ] $N := N + 1$
  (Safe) [ $O_{i+1} \Rightarrow O_i$ ] return invariant $O_i$
  (Unsafe) [ $(U \wedge bad)$ satisfiable ] return UNSAFE

Algorithm 1: Rule-based description of Spacer.


As shown in Alg. 1, Spacer maintains a set of reachability queries $Q$, a sequence of may summaries $\{O_i\}_{i \in \mathbb{N}}$, and a must summary $U$. Intuitively, a query $(\varphi, i)$ corresponds to checking if $\varphi$ is reachable for recursion depth $i$, $O_i$ over-approximates the reachable states for recursion depth $i$, and $U$ under-approximates the reachable states. $N$ denotes the current bound on the recursion depth. The sequence of may summaries and $N$ correspond to the trace of approximations and the maximum level in IC3/PDR, respectively. For convenience, let $O_{-1}$ be $\bot$. $\mathrm{Mbp}(\varphi, M)$, for a formula $\varphi = \exists v \cdot \varphi_m$ and model $M \models \varphi_m$, denotes the result of some MBP function associated with $\varphi$ for the model $M$.

Alg. 1 initializes $N$ to 0 and, $O_0$ and $U$ to $init$. Then, it iteratively applies one of the rules in the forever loop, chosen non-deterministically. Each rule is presented as a guarded command "[ grd ] cmd", where cmd can be executed only if grd holds. Candidate initiates a backward search for a counterexample beginning with a set of states in $bad$. The potential counterexample is expanded using either DecideMust or DecideMay. DecideMust jumps over the call $Inv(x^o)$, in the last CHC of (4), utilizing the must summary $U$. DecideMay, on the other hand, creates a query for the call using the may summary of its calling context. Leaf moves an unreachable query to a higher recursion depth. Successor updates $U$ when a query is known to be reachable. Conflict updates may summaries when a query is known to be unreachable. Induction strengthens may summaries using induction relative to $O_i$. Unfold increments the bound on the recursion depth. Safe returns $O_i$ as invariant when the sequence of may summaries converges. Unsafe applies when the must summary intersects with $bad$.

One can show that $init \Rightarrow O_0$ and, for a fixed $N$ and every $0 < i < N$, $\mathcal{F}(O_{i-1}) \Rightarrow O_i$, $O_{i-1} \Rightarrow O_i$, and $O_i \Rightarrow \neg bad$. Moreover, $\mathcal{F}^i(init) \Rightarrow O_i$ for all $i$, and $U \Rightarrow \mathcal{F}^N(init)$. Thus, $\{O_i\}_{i \in \mathbb{N}}$ and $U$, respectively, over- and under-approximate reachable states, and Spacer is sound.

In the description above, we left out many implementation details, and we mention a few of them here. For efficiency, we restrict queries to cubes. For Linear Arithmetic, we use Mbp functions that are linear in time and space. $Q$ is maintained as a priority queue, processing queries of smaller recursion depths first. Additional constraints are imposed on the rules and their ordering to ensure termination for a fixed $N$ [16]. For the rule Unsafe, our implementation also produces a counterexample in addition to returning UNSAFE.

A key ingredient in extending this framework to arrays is an efficient MBP function for ARR. This is the subject of the rest of the paper.

IV. QE and MBP for the Theory ARR

Consider an existentially quantified formula $\exists a : \mathit{arr}(I, V) \cdot \varphi$ where $\varphi$ is quantifier-free. We first present an exponential time algorithm for QE, i.e., to obtain an equivalent formula that does not contain the array quantifier. Then, we present a polynomial time algorithm for MBP given a model $M \models \varphi$. Initially, we restrict the interpretations of $I$, the index sort, to infinite domains. Handling finite index domains requires a slight adaptation of the algorithms, as described at the end of the section.

ElimEq: $\exists a \cdot (a =_i t \wedge \varphi)$ $\longrightarrow$ $\exists v \cdot \varphi[wr(t, i, v)/a]$
where $a$ does not appear in $t$ and $v$ denotes fresh variables

ElimDiseq: $\exists a \cdot (\varphi \wedge \bigwedge_{k=1}^{m} \neg(a =_{i_k} t_k))$ $\longrightarrow$ $\exists a \cdot \varphi$
where $m \in \mathbb{N}$, $a$ does not appear in any $t_k$, and $a$ appears in $\varphi$ only in read terms over $a$

Ackermann: $\exists a \cdot (\varphi \wedge \bigwedge_{k=1}^{m} s_k = rd(a, t_k))$ $\longrightarrow$ $\varphi \wedge \bigwedge_{1 \le k < \ell \le m} (t_k = t_\ell \Rightarrow s_k = s_\ell)$
where $m \in \mathbb{N}$ and $a$ does not appear in $\varphi$, the $s_k$'s, or the $t_k$'s

Fig. 3: Rewriting rules for QE of arrays.

ArrayQE($\exists a \cdot \varphi$)
1 $\varphi_1 \leftarrow$ (ElimWr*)($\exists a \cdot \varphi$)
2 $\varphi_2 \leftarrow$ (CaseSplitEq*; FactorRd*)($\varphi_1$)
3 $(\bigvee_{k=1}^{n} \delta_k) \leftarrow$ LiftEqDiseqRd($\varphi_2$)
4 for $k \in [1, n]$ do
5   $\psi_k \leftarrow$ (ElimEq; ElimDiseq; Ackermann)($\delta_k$)
6 return $\bigvee_{k=1}^{n} \psi_k$

Algorithm 2: QE for $\exists a \cdot \varphi$, where $a$ is an array variable.

A. Quantifier Elimination

The goal of QE is to obtain an equivalent formula $\exists v : V \cdot \psi$ where $\psi$ is quantifier-free. Our algorithm is inspired by the decision procedure for the quantifier-free fragment of ARR by Stump et al. [18]. At a high level, the QE algorithm proceeds in 3 steps: (i) eliminate write terms using the read-after-write axiom scheme and partial equalities over arrays, (ii) eliminate (partial) equalities and disequalities over arrays, and (iii) eliminate read terms over arrays. Alg. 2 shows the pseudo-code for our QE algorithm ArrayQE using the rewrite rules in Fig. 1, 2, and 3 for equivalent transformations. We write $R(\varphi)$ to denote the result of application of $R$. We combine rules using the standard notation for regular expressions, where $R^*$ denotes the exhaustive iterative application of $R$.

Line 1 of ArrayQE eliminates write terms using the rewrite rules in Fig. 1. Here ElimWr denotes a rule in Fig. 1 chosen non-deterministically. ElimWrRd rewrites terms using the read-after-write axiom and ElimWrEq rewrites partial equalities using Eq. (2). PartialEq converts equalities into partial equalities using Eq. (1). TrivEq eliminates trivial partial equalities with identical arguments and Symm ensures that write terms on the r.h.s. of equalities are also eliminated.

Line 2 of ArrayQE rewrites the formula by case-splitting on partial equalities on the array quantifier $a$ (via CaseSplitEq) followed by factoring out read terms over $a$ by introducing new quantifiers of sort $V$ (via FactorRd). Note that, as presented, these two rules can be applied indefinitely, as the partial equalities and read terms are preserved in the conclusion of the rules. However, one can easily ensure that a given partial equality or read term is considered exactly once by a priori computing the set of all partial equalities and read terms in the formula and processing them in a sequential order. The details are straightforward and are left to the reader.

LiftEqDiseqRd on line 3 of ArrayQE performs Boolean rewriting and returns an equivalent disjunction such that in every disjunct, the partial equalities, array disequalities, and equalities over read terms appear at the beginning as conjuncts, in that order. In practice, CaseSplitEq can be implemented efficiently using an $N$-way case analysis for a total number of $N$ partial equalities in the formula, and this Boolean rewriting can be avoided. For each disjunct, line 5 applies the rules in Fig. 3 to eliminate the array quantifier $a$. ElimEq obtains a substitution term for $a$ using the equivalence in Eq. (3). ElimDiseq is applicable when the disjunct contains no partial equalities; given that the domain of interpretation of $I$ is infinite, one can always satisfy the disequalities and hence, they can simply be dropped. Ackermann performs the Ackermann reduction [2] to eliminate the read terms.

Note that while the rewrite rules are applicable to all array terms and equalities in the original formula, in practice, we only need to apply them to eliminate the relevant terms containing the array quantifier $a$. See Fig. 4 for an illustration of ArrayQE on an example.

Correctness and Complexity. We can show the following properties of ArrayQE.

Theorem 1: ArrayQE($\exists a : \mathit{arr}(I, V) \cdot \varphi$) returns $\exists v : V \cdot \psi$, where $\psi$ is quantifier-free and $\exists v \cdot \psi \equiv \exists a \cdot \varphi$.

Proof: (Sketch) One can easily show that the rules in Fig. 1, 2, and 3 are equivalence preserving. The theorem follows immediately. ■

Theorem 2: ArrayQE($\exists a \cdot \varphi$) terminates in time exponential in the size of $\varphi$.

Proof: (Sketch) Line 1 of ArrayQE essentially eliminates write terms one by one and can be easily shown to terminate. Line 2 can be easily made to terminate by iterating over all partial equality and read terms. The remaining steps of the algorithm clearly terminate as well.

The complexity analysis is similar to the decision procedure by Stump et al. [18]. Let $N$ be the size of $\varphi$. The number of disjuncts generated by any rewrite rule is bounded by $N$ (due to the disjunction $j \in i$ on indices in ElimWrEq). Disjunctions can be generated by the rules for every write term or partial equality, and their number is bounded by $N$. So, the total number of disjunctions generated by the algorithm is bounded by $O(N^N)$, which is exponential in $N$. The size of a disjunct generated by a rule can be shown to be bounded by a polynomial in $N$. CaseSplitEq can be efficiently implemented using an $N$-way case analysis over all equalities, avoiding a Boolean rewriting on line 3 of the algorithm. Thus, the complexity of ArrayQE is exponential in $N$. ■

ElimWrRd: $\varphi[rd(wr(t, i, v), j)]$ $\longrightarrow$ $(i = j \wedge \varphi[v]) \vee (i \neq j \wedge \varphi[rd(t, j)])$

ElimWrEq: $\varphi[wr(t_1, j, v) =_i t_2]$ $\longrightarrow$ $(j \in i \wedge \varphi[t_1 =_i t_2]) \vee (j \notin i \wedge \varphi[t_1 =_{i \cdot j} t_2 \wedge v = rd(t_2, j)])$

PartialEq: $\varphi[t_1 = t_2]$ $\longrightarrow$ $\varphi[t_1 =_\emptyset t_2]$, where the $t_i$'s have array sort

TrivEq: $\varphi[t =_i t]$ $\longrightarrow$ $\varphi[\top]$

Symm: $\varphi[t_1 =_i t_2]$ $\longrightarrow$ $\varphi[t_2 =_i t_1]$, where $t_2$ is a write term but $t_1$ is not

ElimWr = (ElimWrRd | ElimWrEq | PartialEq | TrivEq | Symm)

Fig. 1: Rewriting rules to eliminate write terms. ElimWr denotes one of the rules chosen non-deterministically.

CaseSplitEq: $\exists a \cdot \varphi[a =_i t]$ $\longrightarrow$ $\exists a \cdot ((a =_i t \wedge \varphi[\top]) \vee (\neg(a =_i t) \wedge \varphi[\bot]))$

FactorRd: $\exists a \cdot \varphi[rd(a, t)]$ $\longrightarrow$ $\exists a, s \cdot (\varphi[s] \wedge s = rd(a, t))$, where $s$ is fresh and $t$ does not contain array terms

Fig. 2: Rewriting rules to factor out equalities and read terms on the quantified array variable.


B. Model Based Projection

If a model $M \models \varphi$ is given, one can obtain an MBP by simply projecting the result of each rule application to the disjunct satisfied by $M$. Fig. 5 shows the modified rules corresponding to ElimWrRd, ElimWrEq, and CaseSplitEq, and Fig. 6 shows the modified rule for Ackermann. Alg. 3 shows the pseudo-code for our MBP algorithm ArrayMBP. Fig. 7 illustrates ArrayMBP on the same example as in Fig. 4 for a specific choice of $M$ as shown in the side-conditions.

ProjWrRd: $\varphi[rd(wr(t, i, v), j)]$, $M \models \varphi$ $\longrightarrow$ $i = j \wedge \varphi[v]$ if $M \models i = j$; $i \neq j \wedge \varphi[rd(t, j)]$ otherwise

ProjWrEq: $\varphi[wr(t_1, j, v) =_i t_2]$, $M \models \varphi$ $\longrightarrow$ $j = i(\ell) \wedge \varphi[t_1 =_i t_2]$ if $M \models j = i(\ell)$ for some element $i(\ell)$ of $i$; $j \notin i \wedge \varphi[t_1 =_{i \cdot j} t_2 \wedge v = rd(t_2, j)]$ if $M \models j \notin i$

ProjCaseEq: $\exists a \cdot \varphi[a =_i t]$, $M \models \varphi$ $\longrightarrow$ $\exists a \cdot (a =_i t \wedge \varphi[\top])$ if $M \models a =_i t$; $\exists a \cdot (\neg(a =_i t) \wedge \varphi[\bot])$ otherwise

ProjWr = (ProjWrRd | ProjWrEq | PartialEq | TrivEq | Symm)

Fig. 5: MBP rules for write terms and equalities. ProjWr is the MBP version of ElimWr in Fig. 1.

ArrayMBP($\exists a \cdot \varphi$, $M$)
1 $\varphi_1 \leftarrow$ (ProjWr*)($\exists a \cdot \varphi$, $M$)
2 $\varphi_2 \leftarrow$ (ProjSplitEq*; FactorRd*)($\varphi_1$, $M$)
3 $(\bigvee_{k=1}^{n} \delta_k) \leftarrow$ LiftEqDiseqRd($\varphi_2$)
4 for $k \in [1, n]$ do
5   $\psi_k \leftarrow$ (ElimEq; ElimDiseq; ProjAck)($\delta_k$, $M$)
6 return $\bigvee_{k=1}^{n} \psi_k$

Algorithm 3: MBP for $\exists a \cdot \varphi$, where $a$ is an array variable, and $M \models \varphi$.

Correctness and Complexity. The size of a disjunct generated by a rule of ArrayMBP can be shown to be bounded by a polynomial in the size of $\varphi$. The following is immediate.

Theorem 3: ArrayMBP($\exists a : \mathit{arr}(I, V) \cdot \varphi$, $\cdot$) is an MBP and terminates in time polynomial in the size of $\varphi$.

C. Handling finite index domains

When finite interpretations of $I$ are allowed, ElimDiseq is no longer an equivalent transformation, as there may not exist an index where the arrays in the disequalities disagree on the values. However, one can use extensionality to obtain another equivalent transformation rule ElimDiseqFinite, as shown in Fig. 8. As this rule introduces new read terms over $a$, we need to apply FactorRd once again before Ackermann or ProjAck. Also, note that the result of QE and MBP is now of the form $\exists i : I, v : V \cdot \psi$.
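The Ackermann rule of Fig. 3 and its projected form ProjAck (Fig. 6) are the two steps in which the two algorithms of this section differ. The following is an added example, not code from the paper or from Spacer: it implements both rules on a small tuple-based term language of our own, checks MBP property (c) on a constructed model, and checks by brute force that the projection under-approximates the QE result. The formula PHI, the model MODEL and the variable names s1..s3 are constructed here.

```python
"""Ackermann reduction (rule Ackermann, Fig. 3) and its model-based projection
ProjAck (Fig. 6) on a minimal term language.  Added illustration, not Spacer's
code: the tuple encoding, the sample formula PHI and the model MODEL are ours.
Terms:   ("var", name) | ("const", n) | ("rd", array_name, index_term)
Atoms:   ("eq"|"neq"|"gt", lhs, rhs); formulas: ("and", ...), ("or", ...), ("not", f)
Model M: dict from integer variables to int; the array name maps to a dict
         index -> value (indices not listed read as 0).
"""
from itertools import combinations, product

def eval_term(t, M):
    if t[0] == "var":
        return M[t[1]]
    if t[0] == "const":
        return t[1]
    return M[t[1]].get(eval_term(t[2], M), 0)      # rd(a, i): look i up in M's array

def eval_formula(f, M):
    if f[0] == "and":
        return all(eval_formula(g, M) for g in f[1:])
    if f[0] == "or":
        return any(eval_formula(g, M) for g in f[1:])
    if f[0] == "not":
        return not eval_formula(f[1], M)
    lhs, rhs = eval_term(f[1], M), eval_term(f[2], M)
    return {"eq": lhs == rhs, "neq": lhs != rhs, "gt": lhs > rhs}[f[0]]

def subterms(f):
    """Yield f and all of its tuple sub-terms in pre-order."""
    yield f
    for sub in f[1:]:
        if isinstance(sub, tuple):
            yield from subterms(sub)

def reads_of(f, a):
    """Distinct read terms rd(a, t_k) of f in first-occurrence order."""
    return list(dict.fromkeys(t for t in subterms(f) if t[0] == "rd" and t[1] == a))

def substitute(f, mapping):
    """Replace every sub-term that is a key of mapping (terms are immutable tuples)."""
    if f in mapping:
        return mapping[f]
    return tuple(substitute(x, mapping) if isinstance(x, tuple) else x for x in f)

def factor_reads(phi, a):
    """Shared first step (FactorRd): rd(a, t_k) becomes a fresh value variable s_k."""
    reads = reads_of(phi, a)
    fresh = [("var", f"s{k}") for k in range(1, len(reads) + 1)]
    return reads, fresh, substitute(phi, dict(zip(reads, fresh)))

def ackermann(phi, a="a"):
    """Rule Ackermann: drop a, keep /\\_{k<l} (t_k = t_l => s_k = s_l) as t_k != t_l \\/ s_k = s_l."""
    reads, fresh, body = factor_reads(phi, a)
    congruence = [("or", ("neq", reads[k][2], reads[l][2]), ("eq", fresh[k], fresh[l]))
                  for k, l in combinations(range(len(reads)), 2)]
    return fresh, ("and", body, *congruence)

def proj_ack(phi, M, a="a"):
    """Rule ProjAck: same substitution, but each implication is replaced by the case M
    selects: t_k = t_l /\\ s_k = s_l if M |= t_k = t_l, else t_k != t_l (finite image)."""
    reads, fresh, body = factor_reads(phi, a)
    decided = []
    for k, l in combinations(range(len(reads)), 2):
        tk, tl = reads[k][2], reads[l][2]
        if eval_term(tk, M) == eval_term(tl, M):
            decided += [("eq", tk, tl), ("eq", fresh[k], fresh[l])]
        else:
            decided.append(("neq", tk, tl))
    return fresh, ("and", body, *decided)

def witness(phi, M, a="a"):
    """Extend M with s_k := M(rd(a, t_k)), the natural witness for the fresh values."""
    return {**M, **{f"s{k}": eval_term(r, M) for k, r in enumerate(reads_of(phi, a), 1)}}

def implies_on_domain(f, g, domain=(0, 1, 6)):
    """Brute-force f => g over all assignments of the free integer variables (array-free inputs)."""
    names = sorted({t[1] for t in subterms(("and", f, g)) if t[0] == "var"})
    return all(not eval_formula(f, dict(zip(names, vals)))
               or eval_formula(g, dict(zip(names, vals)))
               for vals in product(domain, repeat=len(names)))

# Constructed example: the two reads of Fig. 4, rd(a, i3) > 5 /\ rd(a, i4) > 0, plus a
# third read rd(a, i2) = v, and a model in which i3 = i4 while i2 differs from both.
PHI = ("or",
       ("and", ("gt", ("rd", "a", ("var", "i3")), ("const", 5)),
               ("gt", ("rd", "a", ("var", "i4")), ("const", 0))),
       ("eq", ("rd", "a", ("var", "i2")), ("var", "v")))
MODEL = {"i2": 1, "i3": 2, "i4": 2, "v": 7, "a": {2: 9}}

def demo():
    _, qe = ackermann(PHI)
    fresh, mbp = proj_ack(PHI, MODEL)
    return {
        "model_satisfies_input": eval_formula(PHI, MODEL),
        "witness_satisfies_mbp": eval_formula(mbp, witness(PHI, MODEL)),  # MBP property (c)
        "mbp_implies_qe": implies_on_domain(mbp, qe),                     # under-approximation
        "qe_implies_mbp": implies_on_domain(qe, mbp),                     # strict: False here
        "fresh_values": [v[1] for v in fresh],
        "decided_conjuncts": len(mbp) - 2,                                # i3=i4, s1=s2, 2 diseqs
    }
```

Running `demo()` shows the projection keeping only the (dis)equalities between index terms that MODEL decides, which is why its image is finite while the Ackermann result retains all congruence implications.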

V.  CHCs  over  Arrays,  Integers,  and  Booleans 

In  the  rest  of  the  paper,  we  restrict  ourselves  to  the  basic 
sorts  of  bool  and  int,  in  addition  to  array  sorts.  Furthermore, 
we  only  consider  linear  functions  over  int,  axiomatized  using 
Presburger  Arithmetic  (Linear  Integer  Arithmetic  (LIA))  along 


{ElimWrRd} 


3a  •  (b  =  wr(a,  £i,  v\ )  V  (rd(wr(a,  £2,  v2),  £3)  >  5  A  rd(a,  £4)  >  0)) 

(£2  =  £3  A  (6  =  wr(a,  ii,vi)  V  (v2  >  5  A  rd(a,  £4)  >  0)))  V 
(£2  7^  £3  A  (6  =  uir(a,  ii,Vi)  V  ( rd(a ,  £3)  >  5  A  rd(a ,  14)  >  0))) 

(£2  =  *3  A  ((a  =i:1  b  A  rd(b,  £1)  =  «i )  V  (r>2  >  5  A  rd(a,  £4)  >  0)))  V 

(£2  ^  *3  A  ((a  =4l  b  A  rd(b,  £1)  =  i>i)  V  (rd(a,  *3)  >  5  A  rd(a,  £4)  >  0))) 

(£2  =  *3  A  (r<£(6,  £1)  =  Vi  V  (1J2  >  5  A  rd(a,  £4)  >  0)))  V 

(£2  7^  £3  A  (n£(b,  ii)  =  Vi  V  (rd(a,  *3)  >  5  A  rd(a,  £4)  >  0))) 

(£2  =  £3  A  (v2  >  5  A  rd(a,  £4)  >  0))  V 
(£ 2  ^  £3  A  (rd(a,  13)  >  5  A  rd(a,  i4)  >  0)) 

/  \ 

(£2  =  *3  A  (rd(6,  ii)  =  Di  V  (»2  >  5  A  s4  >  0)))  V 


=  3a- 


=  3a- 


=  3a- 
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(a  =4l  b)  A 


a  =<t  b  A 


(£2  ^  £3  A  (rd(6,  ii)  =  »i  V  (s3  >  5  A  s4  >  0))) 
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-'(a  =ix  6)  A 


(£2  =  *3  A  («2  >  5  A  s4  >  0))  V 
(£2  *3  A  (s3  >  5  A  s4  >  0)) 


V 
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A  S3  =  rd(a,  £3)  A  s4  =  rd(a,  £4) 

(a  b  A  s3  =  rd(a,  i3)  A  s4  =  rd(a,  £4)  A  y>i)  V 
(-i(a  =i4  b)  A  s3  =  rd(a,  £3)  A  s4  =  rd(a,  £4)  A  992) 

(s3  =  rd(a,i3)  A  s4  =  rd(a,£4)  A  v?i)  [ior(b,  ii,  u)/a]  V 

3a,  S3,  s4  •  (S3  =  rri(a,  £3)  A  s4  =  rd(a,  £4)  A  ^2) 

3-a,  S3,  s4  •  (s3  =  rd(a,  *3)  A  s4  =  rd(a,  £4)  A  ipi)  [w(b,  £1,  w)/a]  V 

3s3,  s4  ■  ((£3  =  *4  ==>  s3  =  s4)Av32) 


3a,  S3,  s4 
3v,  s3,  s4 


{PARTIALEQ;  ELIMWREQ} 

{CaseSplitEq} 


{FactorRd} 


{LiftEqDiseqRd} 

{ElimEq} 

{ElimDiseq} 

{Ackermann} 


Fig.  4:  Illustrating  ArrayQE  on  an  example. 


3a  ■  ^  A  /\  sk  =  rd(a,tk)j 

m 

M  \=tp  A  f\  sk  =  rd{a,tk ) 


ProjAck 


k= 1 


A 

tk  =  te  A  Sfc  =  M  \=  tk  =  tg 


A 


^  ^ 


otherwise 


1  <fc<r<m 

where  meff  and  a  does  not  appear  in  tp,  s^’s,  or  £fc’s 
Fig.  6:  MBP  rule  for  ElimRd  in  Fig.  3. 


ElimDiseqFinite 


3a  ■  (->(a  =?  f)  A  p) 


3a,  j-  (rd{a,j)  ±  rd{t,j)hj  giAp) 

where  a  does  not  appear  in  t 
Fig.  8:  Modified  version  of  ElimDiseq  for  finite  domains. 


with  a  divisibility  predicate.  Extending  the  compositional 
framework  of  SPACER  to  this  setting  requires  us  to  come  up 
with  relevant  procedures  for  Mbp  and  Itp.  Conflict  is  the  only 
rule  in  Alg.  1  that  uses  Itp  and  -up'  is  an  easy  candidate  for 


lTP(Jr(C)i),  — iv?/) -  Alternatively,  one  can  use  heuristics  such  as 
generalization  using  unsatisfiable  cores  or  other  theory-specific 
interpolation  procedures. 

We developed MBP functions for Booleans and LIA in previous work [16]. For ARR, we described an MBP function in the previous section. When the index sort $I$ is int, one can obtain a modified ProjAck for eliminating array read terms by using the predicate symbol $<$ and the given model $M$ to linearly order the index terms $t_k$. This is achieved by partitioning the set of index terms $t_k$ according to their interpretations in $M$, choosing a representative for each equivalence class, ensuring that $t_k$ is always a representative in the equality $t_k = t_\ell$ of the rule, and linearly ordering the representatives of the equivalence classes according to $M$. The resulting MBP function is linear in time and space and is more efficient, at the price of an enlarged image set: the linear ordering is stronger than the pairwise disequalities it replaces, so each projection covers fewer models of the original formula and more distinct projections are needed to cover it.
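As an added example (not code from the paper or from the SPACER implementation), the following Python sketch implements the pairwise ProjAck projection of Fig. 6 and the linearly ordered variant described above over a toy term language: index and value terms are plain variable names, a model is a dict from names to integers, and the sample reads and model are constructed for illustration. It also checks the soundness property an MBP result must have (it holds in $M$, and a model of it extends to the original formula, here by building the witness array $\{t_k \mapsto s_k\}$), and counts models over a small finite domain to show that the ordered variant is strictly stronger than the pairwise one.

```python
from itertools import combinations, product

# Added example, not from the paper. A literal is a tuple (op, lhs, rhs) over
# variable names; a model is a dict mapping variable names to ints. A read
# s_k = rd(a, t_k) is represented by the pair (s_k, t_k).


def holds(model, lit):
    """Evaluate one literal under a model."""
    op, l, r = lit
    x, y = model[l], model[r]
    return {"=": x == y, "!=": x != y, "<": x < y}[op]


def proj_ack(model, reads):
    """ProjAck (Fig. 6): pairwise Ackermann projection driven by the model.
    For each pair of reads, keep t_k = t_l /\ s_k = s_l if M says the indices
    alias, else t_k != t_l. Quadratic in the number of reads."""
    lits = []
    for (s1, t1), (s2, t2) in combinations(reads, 2):
        if model[t1] == model[t2]:
            lits += [("=", t1, t2), ("=", s1, s2)]
        else:
            lits.append(("!=", t1, t2))
    return lits


def proj_ack_ordered(model, reads):
    """Variant for index sort int: partition index terms by their value in M,
    pick one representative per class (equalities point at it), and chain the
    representatives with <. Linear in the number of reads."""
    classes = {}
    for s, t in reads:
        classes.setdefault(model[t], []).append((s, t))
    lits = []
    for members in classes.values():
        rep_s, rep_t = members[0]
        for s, t in members[1:]:
            lits += [("=", rep_t, t), ("=", rep_s, s)]
    reps = [classes[v][0][1] for v in sorted(classes)]
    for t1, t2 in zip(reps, reps[1:]):
        lits.append(("<", t1, t2))
    return lits


def witness_array(model, reads, lits):
    """Soundness check for one model: if `model` satisfies the projected
    literals, the array {t_k -> s_k} must be well defined (aliased indices
    carry equal values), so the eliminated quantifier can be re-instantiated.
    Returns the witness array, or None if the check fails."""
    if not all(holds(model, l) for l in lits):
        return None
    arr = {}
    for s, t in reads:
        idx, val = model[t], model[s]
        if arr.get(idx, val) != val:
            return None
        arr[idx] = val
    return arr


def count_models(lits, names, domain):
    """Brute-force count of assignments over a small finite domain satisfying
    all literals; used to compare how much of the original each projection
    covers (fewer models per projection means a larger image set)."""
    n = 0
    for vals in product(domain, repeat=len(names)):
        if all(holds(dict(zip(names, vals)), l) for l in lits):
            n += 1
    return n


# Constructed sample: s1 = rd(a,t1), s2 = rd(a,t2), s3 = rd(a,t3) and a model
# in which t1 and t2 alias while t3 is a different index.
READS = [("s1", "t1"), ("s2", "t2"), ("s3", "t3")]
MODEL = {"t1": 0, "t2": 0, "t3": 5, "s1": 7, "s2": 7, "s3": -1}

if __name__ == "__main__":
    print(proj_ack(MODEL, READS))
    print(proj_ack_ordered(MODEL, READS))
    print(witness_array(MODEL, READS, proj_ack_ordered(MODEL, READS)))
```

With the sample above the pairwise projection yields four literals and the ordered one three; both admit the same witness array, but over the domain $\{0,1,2\}$ the ordered projection has half as many models, which is the "enlarged image set" trade-off the text refers to.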

However, the combination of arrays and integers introduces terms over the combined signature which need to be handled as well. For example, there is no equivalent quantifier-free formula for $\exists i : \mathit{int} \cdot rd(a, i) > 0$. This implies that there does not exist an MBP for the combination of LIA and ARR, since the disjunction of the (finitely many) formulas in the image of an MBP would be such a quantifier-free equivalent. In the example, the only way to under-approximate the quantification is to substitute $i$ with its interpretation in a model $M \models rd(a, i) > 0$. Unfortunately, SPACER is then no longer guaranteed to terminate even for a fixed bound on the recursion depth $N$. Note that MBP is used in 3 rules: DecideMay, DecideMust, and Successor. The elimination of quantifiers in Successor is only an optimization and can be avoided. This is not the case with DecideMay or DecideMust without changing the structure of the queries, the considerations of which are outside the scope of this paper. In the following, we identify restrictions on the CHCs under which termination is still guaranteed and, for the other cases, we propose some heuristics to avoid non-termination.

Fig. 7: Illustrating ArrayMBP on the example of Fig. 4 with a given model $M$. Rules applied, top to bottom: ProjWrRd with $M \models i_2 \neq i_3$; PartialEq; ProjWrEq; ProjCaseEq with $M \models a =_{i_1} b$; FactorRd; LiftEqDiseqRd; ElimDiseq; ProjAck with $M \models i_3 = i_4$.

There are several cases where terms over combined signatures appear in conjunction with equality terms over the index quantifier, e.g., $\exists i : \mathit{int} \cdot i = t \wedge rd(a, i) > 0$ for a term $t$ independent of $i$. In these cases, the quantifier can be eliminated using equality resolution, yielding $rd(a, t) > 0$ in the above example. Such cases seem to be natural in the case of a single procedure, i.e., when $tr$ in (4) is independent of $x^o$. Consider a disjunct $\delta$ in a DNF representation of $tr$. Now, $\delta$ represents a path in the procedure and, typically, the index terms (in reads and writes) in $\delta$ can be ordered such that every index term is a function of the previous index terms or the current-state variables $x$. This makes it possible to eliminate any index variables in $x'$ using equality resolution as mentioned above.

In general, non-termination cannot be avoided, as shown by the following set of CHCs.

$$Inv(a, b) \leftarrow a = b$$

$$\bot \leftarrow Inv(a, b),\ rd(a, j) < 0,\ rd(b, j) > 0$$

Here, intuitively, $Inv(a, b)$ denotes the summary of a procedure which takes $a$ as input and produces $b$ as output, and we are interested in checking whether there is a sign change in the value at an index $j$ as a result of the procedure call. For this example, DecideMay creates queries of the form $rd(a, k) < 0 \wedge rd(b, k) > 0$ where $k$ is a specific integer constant. If Itp returns interpolants of the form $rd(a, k) = rd(b, k)$, it is easy to see that SPACER would not terminate even for $N = 0$: each such interpolant blocks only the one index $k$, and the next model simply picks a different constant.

To help alleviate the problem of non-termination, we can modify DecideMust and DecideMay as follows. Let $\psi$ be the result of Mbp in the rules, using a given model $M$. For every pair of array terms $a, b$ in $\psi$, we strengthen $\psi$ with the array equality $a = b$ or disequality $a \neq b$, depending on whether $M \models a = b$ holds or not. In the above example, the queries will now be of the form $rd(a, k) < 0 \wedge rd(b, k) > 0 \wedge a \neq b$. However, $rd(a, k) = rd(b, k)$ continues to be an interpolant, whereas the desired interpolant is $a = b$. To reduce the dependence on specific integer constants in the learnt interpolants, and hence in the may summaries, we can further modify Conflict as follows. Let $\mathcal{F}(O_i) \Rightarrow \neg\psi'$ as in Conflict, and let $\psi = \psi_1 \wedge \psi_2$ where $\psi_2$ contains all the literals in which an integer quantifier was substituted by its interpretation in a model. Using a minimal unsatisfiable subset (MUS) algorithm, we can generalize $\psi_2$ to $\varphi_2$ such that $\mathcal{F}(O_i) \wedge (\psi_1 \wedge \varphi_2)'$ is unsatisfiable and then obtain $\mathit{Itp}(\mathcal{F}(O_i), \neg(\psi_1 \wedge \varphi_2)')$. In the above example, for $i = 0$, $\mathcal{F}(O_0) = (a = b)$, $\psi_1 = (a \neq b)$, and $\psi_2 = rd(a, k) < 0 \wedge rd(b, k) > 0$. One can show that $\varphi_2$ is simply $\top$ (the conjunction $a = b \wedge a \neq b$ is already unsatisfiable without $\psi_2$) and the only possible interpolant is $a = b$. In our implementation, we add such (dis-)equalities on demand in a lazy fashion. Note that adding such (dis-)equalities to the queries is only a heuristic and may not help with termination in all cases.

VI.  Experimental  Results 

We have a prototype implementation of the algorithms described so far in our tool SPACER.¹ Although the description so far has focused on the canonical form of CHCs in (4), SPACER can handle arbitrary CHCs. To verify C programs, we use SeaHorn [12], which uses the LLVM infrastructure to compile the input program, optimize it, and encode the verification conditions as CHCs in the SMT-LIB2 format, which are then input to SPACER. Among other options, SeaHorn can avoid inlining procedure calls before encoding the problems as CHCs.

We evaluated SPACER using benchmarks from the software verification competition SV-COMP'15 [1]. The only other tool that is similar to SPACER is the implementation of GPDR [15] in Z3 [9], with the key differences being the use of must summaries and MBP, which are only present in SPACER. To evaluate the features in SPACER, we considered the 215 benchmarks from the Device Drivers category where Z3 needed more than a minute of runtime or could not verify the program within the resource limits of SV-COMP [13]. All experiments have been carried out on an Ubuntu machine with a 2.2 GHz AMD Opteron(TM) Processor 6174 and 516GB RAM with resource limits of 30 minutes and 15GB for each verification task. In the scatter plots that follow, a diamond indicates a time-out, a star indicates a mem-out, and a box indicates an anomaly in the implementation.

¹ https://bitbucket.org/spacer/code

Fig. 9: Advantage of inter-procedural encoding using SPACER.

Fig. 10: SPACER vs. Z3 on hard benchmarks (a) with and (b) without inlining.

(a) Advantage of modularity in encoding C programs. As mentioned in Sec. I, a key motivation for this work is to verify a program while preserving the procedural modularity and avoiding inlining procedure calls. While being advantageous from a usability perspective, we observed that preserving the modularity also makes verification easier. The scatter plot in Fig. 9 compares the overall time taken for the CHC encoding and SPACER's verification, when inlining in SeaHorn is turned on and off, showing an advantage when it is turned off.

(b) Advantage of our compositional framework. To see the effect of must summaries and MBP (for LIA and ARR), we compared Z3 and SPACER. The scatter plots in Fig. 10(a) and 10(b) compare the tools on the CHCs obtained when inlining in SeaHorn is turned on and off, respectively. In both cases, we clearly see that SPACER has a significant advantage. Note that, in the latter case, Z3 runs out of time on most of the benchmarks, verifying only 10 programs (3 safe; 7 unsafe), while SPACER verifies 97 programs (21 safe; 76 unsafe). We should mention that of the 7 unsafe programs verified by Z3, 5 could not be verified by SPACER.

In  summary,  we  believe  SPACER  is  a  valuable  addition  to 
the  state-of-the-art  as  shown  above  by  its  practical  advantage 
on  some  hard  device  driver  benchmarks. 

VII.  Related  Work 
VIII.  Conclusion  and  Future  Work 